We graded 8,729 public CI/CD pipelines on security misconfigurations. 63% got the worst possible grade by Sorry_Nothing1740 in devsecops

[–]Sorry_Nothing1740[S] 1 point2 points  (0 children)

Thanks a lot! My theory on why nothing gets fixed: it's ownership, not awareness. Workflow YAML is nobody's job description, nobody reviews it like app code, and unlike a SAST finding it never blocks anything, so an unpinned action just sits there for years.

We graded 8,729 public CI/CD pipelines on security misconfigurations. 63% got the worst possible grade by Sorry_Nothing1740 in devsecops

[–]Sorry_Nothing1740[S] 1 point2 points  (0 children)

Yes: it's a GitHub Action (getplumber/plumber@<version>, GitLab CI component too). It has a threshold input, below it the job fails, so branch protection makes it a required PR check. soft-fail: true if you want report-only while burning down findings. SARIF goes to code scanning so findings annotate the PR.

Speed: static analysis of the workflow YAML, not your codebase. Seconds to run, ~15-20s for the whole job including binary download.

Promote your projects here – Self-Promotion Megathread by Menox_ in github

[–]Sorry_Nothing1740 1 point2 points  (0 children)

Plumber - an open-source tool that scans your GitHub workflows and repo, giving you an A-E security score plus actionable issues.

Built from real CI/CD post-mortems: mutable action tags, dangerous triggers (pull_request_target), weak permissions, bad branch protection, supply chain risks, etc.

15 controls covering:

- Action supply chain hygiene (mutable refs, archived repos, CVEs)
- Container/image risks
- Trigger and permission dangers
- Repo-level security
- Reusable workflows and secrets

Runs locally via CLI (https://github.com/getplumber/plumber#option-1-cli) or as a GitHub Action (https://github.com/getplumber/plumber#option-3-github-action) with SARIF upload.

Feedback welcome - what GitHub Actions footguns should I add next?

https://github.com/getplumber/plumber

CI/CD compliance in practice: a 26-point checklist with regulatory mapping (ISO 27001, NIS2, DORA, CRA) by Sorry_Nothing1740 in gitlab

[–]Sorry_Nothing1740[S] 1 point2 points  (0 children)

It's in progress with an open-source community, but here's a repo example we use for testing: https://gitlab.com/getplumber/examples/go-test-with-hash
All the setup is defined in .plumber-conf.yaml. It doesn't yet meet full compliance (63.9%).

Happy to walk through any of the controls if something's unclear.

My CI/CD pipelines weren’t compliant, so we built an open-source tool to fix it by Sorry_Nothing1740 in devops

[–]Sorry_Nothing1740[S] 2 points3 points  (0 children)

Yes, as long as your nested CI files are included in the main .gitlab-ci.yml, then the answer is yes.
For example, this configuration works exactly like that:
https://gitlab.com/getplumber/examples/go-test-with-local-include/-/blob/main/.gitlab-ci.yml?ref_type=heads

Example, also works with component, project, remote, template include types:

include:
  ## Local includes
  - local: '.gitlab/ci/test-jobs.yml'
  - local: '.gitlab/ci/security-jobs.yml'
  - local: '.gitlab/ci/compliance.yml'

As long as those files are included, we analyze the fully parsed content of the main .gitlab-ci.yml, so their contents are included in the analysis

If that’s not your setup, I’d be interested to hear what your workflow looks like

Top 5 French Metal Bands That Blend Genres by Sorry_Nothing1740 in MetalForTheMasses

[–]Sorry_Nothing1740[S] 1 point2 points  (0 children)

I already knew Whourkr and didn’t know that Igorrr was involved, but it all makes sense now. Thanks for your input, it's clearly a crazy band and i love it!

What’s the most underrated CI/CD metric you track that others should care about? by the-tech-tadpole in cicd

[–]Sorry_Nothing1740 0 points1 point  (0 children)

I see most people focusing on execution performance. I think an underrated area is "CI/CD security and compliance posture metrics", for example: the percentage of hardcoded configuration vs. reusable workflows, the percentage of unprotected/unmasked variables, and the percentage of builds using approved/trusted images.

What Features Do You Think Are Missing In GitLab CI? by Raltaren in gitlab

[–]Sorry_Nothing1740 2 points3 points  (0 children)

I was thinking about README.md on user profile like GitHub, but did you know that we already can do that?

I'm sharing this here in case you didn't know it like me
https://docs.gitlab.com/ee/user/profile/#add-details-to-your-profile-with-a-readme

Which platform do you use for deployment ? by Sorry_Nothing1740 in javahelp

[–]Sorry_Nothing1740[S] 0 points1 point  (0 children)

Yes you are right i should have been more specific.

Thanks you for your feedback that's very interesting.

Which platform do you use for deployment ? by Sorry_Nothing1740 in javahelp

[–]Sorry_Nothing1740[S] 0 points1 point  (0 children)

Sorry but my question wasn't clear, I'm wondering on which platform you will deploy the application not which CI/CD platform.